Preventing dictionary attacks on a web application

Posted by Kevin Pang on Stack Overflow See other posts from Stack Overflow or by Kevin Pang
Published on 2010-05-07T06:28:12Z Indexed on 2010/05/07 6:38 UTC
Read the original article Hit count: 185

Filed under:

security

What's the best way to prevent a dictionary attack? I've thought up several implementations but they all seem to have some flaw in them:

Lock out a user after X failed login attempts. Problem: easy to turn into a denial of service attack, locking out many users in a short amount of time.
Incrementally increase response time per failed login attempt on a username. Problem: dictionary attacks might use the same password but different usernames.
Incrementally increase response time per failed login attempt from an IP address. Problem: easy to get around by spoofing IP address.
Incrementally increase response time per failed login attempt within a session. Problem: easy to get around by creating a dictionary attack that fires up a new session on each attempt.

Related posts about security

sudo apt-get update errors

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Here is what I get on my terminal when running sudo apt-get update errors. I dont know if the issue is from my sources.list or my proxy setup(have not made any changes to proxies). Thank you for any help in advanced. Ign http://security.ubuntu.com oneiric-security Release.gpg Ign http://security… >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Devx - Search for 'Devx'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Internet.com - Search for 'Internet.com'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
StackOverFlowError while creating Mac object on AS400/Java

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello all, I am a newbie to AS400-Java programming. I am trying to create my first program to test the implementation of Message Authentication Code (MAC). I am trying to use the HMACSHA1 hash function. My (Java 1.4) program runs fine on a dev box (V5R4).But fails terribly on the QA box (V5R3). My… >>> More
Google App Engine - Spring Security Issue (java.security.AccessControlException)

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm currently getting the AccessControlException below when I deploy to app engine (I don't see it when I run in my local environment). I'm using GAE 1.3.1, Spring 3.0.1, and Spring Security 3.0.2. Any ideas how to get around this issue? It appears to be an issue with Spring Security trying to get… >>> More

Developer IT

Preventing dictionary attacks on a web application - Developer IT

Preventing dictionary attacks on a web application

security

Related posts about security

sudo apt-get update errors

The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

StackOverFlowError while creating Mac object on AS400/Java

Google App Engine - Spring Security Issue (java.security.AccessControlException)

Categories cloud